We currently utilize a realm name to access our VPN, so for example we access Pulse through: https://mypsa5000.com/realmname
We have HSTS enabled and when testing:
curl -D- http://mypsa5000.com/realmname
We correctly get the "HTTP/1.0 301 Moved Permanently"
However, if we test just the base URL:
curl -D- http://mypsa5000.com
We no longer receive an HSTS header (just a 404).
On a normal Apache web server, requesting a page that should technically be a 404 still gives the "HTTP/1.1 301 Moved Permanently" instead.
As a result, scanning my Pulse Secure with any vulnerability scanner (Qualys, Nessus) results in the scanner saying HSTS has not been implemented.
We intentionally do not have a realm at */ as a form of security through obscurity, I suppose
(no login prompt just because you happen to guess the domain or stumble across the IP).
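
An added example, not part of the original post or any vendor tooling: a shell function that classifies a header dump saved from curl -sD- -o /dev/null, so the realm URL and the base URL can be compared over both HTTP and HTTPS. It reports the 301 redirect to HTTPS separately from the Strict-Transport-Security response header; the sample responses are constructed, and the 180-day minimum max-age is an assumed threshold, not a value from any scanner.

```shell
#!/bin/sh
# Added example: classify response headers saved from `curl -sD- -o /dev/null URL`.
# Verdicts: hsts-ok, hsts-weak, https-redirect, no-hsts.
# MIN_AGE is an assumed policy threshold (180 days), not a scanner's value.

classify_headers() {
    # $1 = raw response headers (CRLF or LF line endings)
    printf '%s\n' "$1" | tr -d '\r' | awk -v min_age="${MIN_AGE:-15552000}" '
        NR == 1 { status = $2; next }          # status line: HTTP/x.y CODE ...
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        name == "strict-transport-security" { hsts = tolower(value) }
        name == "location"                  { loc  = tolower(value) }
        END {
            if (hsts != "") {
                age = 0
                if (match(hsts, /max-age="?[0-9]+/)) {
                    age = substr(hsts, RSTART, RLENGTH)
                    gsub(/[^0-9]/, "", age)
                }
                verdict = (age + 0 >= min_age + 0) ? "hsts-ok" : "hsts-weak"
                print verdict " status=" status " max-age=" age
            } else if (status ~ /^30[1278]$/ && loc ~ /^https:\/\//) {
                # Redirect to HTTPS only; no HSTS header on this response.
                print "https-redirect status=" status
            } else {
                print "no-hsts status=" status
            }
        }'
}

# Constructed sample responses (not captured from a real appliance).
HTTP_REALM=$(printf 'HTTP/1.0 301 Moved Permanently\r\nLocation: https://mypsa5000.com/realmname\r\n\r\n')
HTTPS_REALM=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n')
HTTPS_BASE=$(printf 'HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n')

for name in HTTP_REALM HTTPS_REALM HTTPS_BASE; do
    eval "dump=\$$name"
    printf '%-12s %s\n' "$name" "$(classify_headers "$dump")"
done
```

Feeding it the real dumps for http:// and https:// on both the base URL and the realm path shows which of the four responses lacks the header.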